Building a Threat-Based Cyber Team


Building a Threat-Based Cyber Team
Anthony Talamantes, Manager, Defensive Cyber Operations
Todd Kight, Lead Cyber Threat Analyst
Sep 26, 2017, Washington, DC

Forward-Looking Statements During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.

Johns Hopkins University Applied Physics Lab
- University Affiliated Research Center
- Sponsors include DOD, NASA, DHS, IC
- 6,000+ staff
- $1.5 B revenue

Common Themes
- Change in Threat Landscape
- The Philosophy of Security Posture vs. Capability Posture
- The value of making multi-faceted change in Technology, People, and Process
- Implementing new Core competencies including Research, Adaptive Red Team, DevOps, Analytics

Cyber Attack 2009
- APT targeted JHUAPL
- 5 unique pieces of malware on disk: Backdoor, Password dumpers, Network exploration utility
- 13 accounts compromised
  - Domain Administrator
- Unclassified data exfiltrated
- Operational impact: 2 Weeks disconnected from the Internet

Build Resilient Security Infrastructure
Technology:
- Legacy SIEM
- Anti-Virus
- IPS/IDS
- Blackhole/Sinkhole
- Sandboxes
- Application Whitelisting
Philosophy:
- Response
- Signature based
- Alert based
- Mitigation focused
- Tool focused
- IOC focused
- Limited data ingestion
Chart axis: Security Posture to Capability Posture

Cyber Operations: Cyber Maturity Evolution
Maturity stages: Response, Triage, Mitigation, Threat Intel, Behavioral, Hunting
Philosophy Changing:
- Use Cases
- Behaviors
- Visibility focused
Chart axis: toward a Capability Posture

Cyber Attack 2014: Heartbleed
- CVE-2014-0160 (Common Vulnerabilities and Exposures)
- Publicly disclosed in April 2014
- Vulnerability in the OpenSSL cryptography library
- When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server
- What is in memory? Encryption keys, Usernames, Passwords, Session Keys, Session Cookies

Diagram: APL Unclassified Network (Internet, APL Public DMZ, VPN, Virtual Machines, APL Internal; QUSER.EXE)

The Landscape is Changing: Emergence of New Methodologies

Defense Partner March IR Collaboration: Never Let a Good Incident Go to Waste
- Extensive use of commercial cloud and SSL: Command & Control, Exfiltration, Distributing malware
- Constantly changed infrastructure
- PowerShell: Reflective injection into memory, Lateral movement, Reconnaissance
- Persistence: Windows Management Instrumentation (WMI), Scheduled tasks, Registry (RunOnce)
- Actor's actions on network more agile than incident responders
- Defenders had limited network visibility
- Living off the Land

Change in Philosophy
Threat Focused Cyber Operations:
- Research and identify Threats targeting your organization
- Target advanced tactics, techniques and procedures of adversary
- Emulate threat in your environment
- Develop hunting and analytics techniques
Changes, Challenges & Culture:
- What is behavioral monitoring anyways?
- Mitigation vs Detection: Not everything can be mitigated; Value in Visibility
- What is Threat Intelligence? More than indicators of compromise
Threat Intelligence diagram layers (top to bottom): Threat Emulation, Actor Profiling, Tradecraft Analysis, Orchestration; Malware Analysis, Hunting; Behavioral Artifacts; AV, Sinkhole, IPS, Firewall

Defensive Cyber Operations Inception: Vehicle For Change
Philosophy: Use Cases, Data Analysis, Behaviors, Visibility based, Agility, Enrichment, Automation, Independence, DevOps, Capability Posture
Technology: Splunk, EDR
People: New skillsets, New approach
Process: Hunting, Agility

Change in Technology
Legacy SIEM implementation:
- A few specialists creating content
- Very static and signature content
- Run scheduled reports for data analysis
- Only acquire logs that you need
Splunk:
- All analysts creating content
- Dynamic & behavioral content
- Google-like query language for agility
- More visibility means more data

Change in People
Traditional Cyber Skillset:
- Firewall Management
- IPS/IDS administrator
- Implementing rule/signature rulesets
- Strong network competencies
- Dead box forensics
- Implement mitigations
Adaptive Skillset:
- Data manipulation capabilities
- OS internals
- Malware & memory analysis
- Strong research skills
- Collaborative teams
- Red Team skills
- Constant development of skills

Change in Process
Analysts followed procedures:
- Responded to alerts
- Followed playbooks
- Implemented mitigations
Analysts Performing Analysis:
- Hunting for anomalies
- Researching threats
- Understanding adversary tradecraft
- Emulating threats
- Developing new analytics, content & alerts
- Understanding context

Cyber Threat Team Construct
Threat Intelligence: Blue sky threats, Research threat actors, Tradecraft research, Profiling and Patterns
Analytics (Hunting): Continuous monitoring, Gap analysis, Fidelity identification, Comparative analysis
Adaptive Red Team: Threat Emulation, Proof of concept, External Adaptive RT, Predictive Research
DevOps: Scripting, Content Creation, Compound Correlation, Enrichment, Orchestration

Putting It All Together

Research: What are the adversaries doing?
- Blue sky threats: What if? Based on our environment and Threat Intel; LoE, ROI, Likelihood
- Threat Intelligence: Research threat actors, Tradecraft research, Emerging capabilities
- Threat Models: Behaviors, Adversary profiling

Adaptive Red Team
- Proof of concept
- Predictive: Research driven
- Threat Emulation: Lateral movement, Privilege escalation, Persistence methodologies, Initial code execution
- External Adaptive RT: Comprehensive attack & response lifecycle

DevOps
- Scripting: Forensic tool development, Data parsing, Orchestration, Enrichment
- Application Development: Threat Tracking System, REnigma
- Content Creation: Use Case Development, Compound Correlation, YARA development

Analytics
- Proactive Threat Hunting: Process behaviors, Network behaviors, Account behaviors
- Gap analysis: Visibility, Technology, People
- Uniqueness/Rareness/Newness: Email, FQDN, Content review
- Threat scoring: Prioritization

Challenges & Wins

Challenges
- Splunk Core is not a traditional SIEM: Uniqueness identifiers, Tagging events
- Expensive: Live queries, Sub-Search limitations
- An imperfect start is better than a perfect unimplemented plan
- Leverage existing talent in Cyber Operations
- Managing larger data sets: the cost of visibility
- Solving the same problems differently

Wins
- Leveled analyst playing field
- APT targeting DMZ Breach
- Red Team
- No formal Splunk training

The Fruits of Our Labor
- Hits on existing custom developed content
- Anomalies associated with credential theft: Mimikatz, RPC & SMB baseline drift
- Lateral movement: AD Reconnaissance, Privileged account usage
- Uniqueness / Rareness Bubble-Up Analytics
- Adaptive Red Team Exercise
- Aggregation of lower fidelity events of interest
- Threat models
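As an added illustration (not from the talk or from APL's own content), the uniqueness/rareness/newness and low-fidelity aggregation ideas from the Analytics and Fruits of Our Labor slides, written in Python rather than SPL so it runs stand-alone: process-creation events are tagged for new or rare parent/child pairs and for interactive use of a privileged account, and the tag weights are summed per host so the hosts worth a hunter's time bubble up. The event data, privileged account list, tag weights and threshold are all constructed assumptions.

```python
# Bubble-up analytics over process-creation events (constructed sample data):
# each tag alone is low fidelity; aggregated per host they rank hunting leads.
from collections import Counter, defaultdict

# Constructed baseline of (host, parent, child) pairs seen during prior weeks.
BASELINE = [("ws01", "explorer.exe", "outlook.exe"), ("ws02", "explorer.exe", "outlook.exe"),
            ("ws03", "explorer.exe", "outlook.exe"), ("ws01", "services.exe", "svchost.exe"),
            ("ws02", "services.exe", "svchost.exe"), ("ws01", "explorer.exe", "cmd.exe")]
PRIVILEGED = {"da_admin"}  # constructed list of privileged (e.g. Domain Admin) accounts
WEIGHTS = {"new_pair": 3, "rare_pair": 2, "priv_interactive": 2}  # assumed weights

def pair_prevalence(baseline):
    """Distinct-host count for every parent->child pair in the baseline."""
    hosts = defaultdict(set)
    for host, parent, child in baseline:
        hosts[(parent, child)].add(host)
    return {pair: len(h) for pair, h in hosts.items()}

def tag_event(event, prevalence, rare_max=1):
    """Low-fidelity tags for one event: newness, rareness, privileged interactive use."""
    tags = []
    seen_on = prevalence.get((event["parent"], event["image"]), 0)
    if seen_on == 0:
        tags.append("new_pair")          # never observed in the baseline
    elif seen_on <= rare_max:
        tags.append("rare_pair")         # observed on very few hosts
    if event["user"] in PRIVILEGED and event["parent"] == "explorer.exe":
        tags.append("priv_interactive")  # privileged account in an interactive session
    return tags

def bubble_up(events, baseline, threshold=4):
    """Sum tag weights per host; return (host, score, reasons) at/over threshold, highest first."""
    prevalence = pair_prevalence(baseline)
    scores, reasons = Counter(), defaultdict(list)
    for ev in events:
        for tag in tag_event(ev, prevalence):
            scores[ev["host"]] += WEIGHTS[tag]
            reasons[ev["host"]].append(f"{tag}:{ev['parent']}>{ev['image']}")
    return [(h, s, reasons[h]) for h, s in scores.most_common() if s >= threshold]

# Constructed events from the current hunting window.
TODAY = [{"host": "ws02", "user": "jdoe", "parent": "explorer.exe", "image": "outlook.exe"},
         {"host": "ws02", "user": "jdoe", "parent": "explorer.exe", "image": "cmd.exe"},
         {"host": "ws03", "user": "da_admin", "parent": "explorer.exe", "image": "cmd.exe"},
         {"host": "ws03", "user": "da_admin", "parent": "winword.exe", "image": "powershell.exe"}]

if __name__ == "__main__":
    for host, score, why in bubble_up(TODAY, BASELINE):
        print(host, score, why)   # ws03 scores 7; ws02 (a single rare pair) stays below threshold
```

A real baseline would be built from weeks of endpoint telemetry and the rare-host cutoff tuned to the fleet size; the point is that no single tag fires an alert, only their accumulation on one host.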

Summary: Key Takeaways

Summary
- People Centric
- Philosophy
- Data Centric
- Research Centric

Questions

Don't forget to rate this session in the .conf2017 mobile app